IPTables
- #!/bin/bash
- # ---------------------------------------------------------------------
- # Linux-iptables-Firewallskript, Copyright (c) 2006 under the GPL
- # Autogenerated by iptables Generator v1.22 (c) 2002-2006 by Harald Bertram
- # Please visit http://harry.homelinux.org for new versions of
- # the iptables Generator (c).
- #
- # This Script was generated by request from:
- # Alex_Heinrich@web.de on: 2006-9-11 8:40.56 MET.
- #
- # If you have questions about the iptables Generator or about
- # your Firewall-Skript feel free to take a look at our website or
- # send me an E-Mail to webmaster@harry.homelinux.org.
- #
- # My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
- # who made lots of Beta-Testing and gave me lots of well qualified
- # Feedback that made me able to improve the iptables Generator.
- # --------------------------------------------------------------------
- case "$1" in
- start)
- echo "Starte IP-Paketfilter"
- # iptables-Modul
- modprobe ip_tables
- # Connection-Tracking-Module
- modprobe ip_conntrack
- # Das Modul ip_conntrack_irc ist erst bei Kerneln >= 2.4.19 verfuegbar
- modprobe ip_conntrack_irc
- modprobe ip_conntrack_ftp
- # Tabelle flushen
- iptables -F
- iptables -t nat -F
- iptables -t mangle -F
- iptables -X
- iptables -t nat -X
- iptables -t mangle -X
- # Default-Policies setzen
- iptables -P INPUT DROP
- iptables -P OUTPUT DROP
- iptables -P FORWARD DROP
- # MY_REJECT-Chain
- iptables -N MY_REJECT
- # MY_REJECT fuellen
- iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
- iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
- iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
- iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
- iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
- iptables -A MY_REJECT -p icmp -j DROP
- iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
- iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
- # MY_DROP-Chain
- iptables -N MY_DROP
- iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
- iptables -A MY_DROP -j DROP
- # Alle verworfenen Pakete protokollieren
- iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
- iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
- iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
- # Korrupte Pakete zurueckweisen
- iptables -A INPUT -m state --state INVALID -j DROP
- iptables -A OUTPUT -m state --state INVALID -j DROP
- iptables -A FORWARD -m state --state INVALID -j DROP
- # Stealth Scans etc. DROPpen
- # Keine Flags gesetzt
- iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
- # SYN und FIN gesetzt
- iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
- # SYN und RST gleichzeitig gesetzt
- iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
- # FIN und RST gleichzeitig gesetzt
- iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
- # FIN ohne ACK
- iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
- # PSH ohne ACK
- iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
- # URG ohne ACK
- iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
- iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
- # Loopback-Netzwerk-Kommunikation zulassen
- iptables -A INPUT -i lo -j ACCEPT
- iptables -A OUTPUT -o lo -j ACCEPT
- # Maximum Segment Size (MSS) f